b'                                          January 23, 2007\n\n\n\n\nMEMORANDUM TO:              Luis A. Reyes\n                            Executive Director for Operations\n\n\n\nFROM:                       Stephen D. Dingbaum/RA/\n                            Assistant Inspector General for Audits\n\n\nSUBJECT:                    AUDIT OF NRC\xe2\x80\x99S BADGE ACCESS SYSTEM\n                            (OIG-07-A-10)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) report titled, Audit of NRC\xe2\x80\x99s\nBadge Access System.\n\nThis report presents the results of the subject audit. Agency comments provided at the\nexit conference on December 19, 2006, have been incorporated, as appropriate, into\nthis report. The agency did not provide formal comments.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. Actions taken or\nplanned are subject to OIG follow up as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\naudit. If you have any questions or comments about our report, please contact me at\n415-5915, or Beth Serepca at 415-5911.\n\nAttachment: As stated\n\x0cELECTRONIC DISTRIBUTION\n\nFrank P. Gillespie, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nE. Roy Hawkens, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nLuis A. Reyes, Executive Director for Operations\nJanice Dunn Lee, Director, Office of International Programs\nRebecca L. Schmidt, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nWilliam F. 
Kane, Deputy Executive Director for Reactor\n and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research,\n State and Compliance Programs, OEDO\nJacqueline E. Silber, Deputy Executive Director for Information Services\n and Administration and Chief Information Officer, OEDO\nMichael R. Johnson, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nCynthia A. Carpenter, Director, Office of Enforcement\nCharles L. Miller, Director, Office of Federal and State Materials\n and Environmental Management Programs\nGuy P. Caputo, Director, Office of Investigations\nEdward T. Baker, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nR. William Borchardt, Director, Office of New Reactors\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nBrian W. Sheron, Director, Office of Nuclear Regulatory Research\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\n\x0c                     AUDIT REPORT\n\n\n                    Audit of NRC\xe2\x80\x99s Badge Access System\n\n                      OIG-07-A-10       January 23, 2007\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                                  Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nI.   
EXECUTIVE SUMMARY\n\n         BACKGROUND\n\n         The Nuclear Regulatory Commission\xe2\x80\x99s (NRC) automated badging\n         and card reader system is an important component of the agency\xe2\x80\x99s\n         physical security program. NRC uses the system to manufacture\n         photo-identification badges for employees, contractors, and visitors\n         and control their access within NRC\xe2\x80\x99s headquarters, regional\n         offices, and the Technical Training Center (TTC). NRC refers to its\n         system as the Access Control and Computer Enhanced Security\n         System/Photo Identification Computer System (ACCESS/PICS).\n         In this report, the system is referred to as ACCESS, and NRC\n         regional offices and TTC are referred to as field offices.\n\n         PURPOSE\n\n         The objective of this audit was to determine whether the current\n         badge access system meets its required operational capabilities\n         and provides for the security, availability, and integrity of the system\n         data.\n\n         RESULTS IN BRIEF\n\n         NRC\xe2\x80\x99s badge access system is capable of providing effective\n         support for NRC\xe2\x80\x99s physical security program. However, specific\n         cost-effective actions are needed to enhance this legacy system\xe2\x80\x99s\n         usage at NRC until a replacement system is implemented. 
Auditors\n         identified the following shortcomings with regard to ACCESS and\n         related badge accountability processes:\n\n            \xc2\x99   Weaknesses exist concerning system user access.\n            \xc2\x99   The system contains inaccurate data.\n            \xc2\x99   Badge accountability measures are inadequate.\n            \xc2\x99   System documentation is incomplete or missing.\n            \xc2\x99   TTC lacks a backup power supply for ACCESS.\n\n         These problems exist because concerns about ACCESS are\n         overshadowed by the agency\xe2\x80\x99s plan to replace the system as part\n         of its Homeland Security Presidential Directive -12 (HSPD-12)\n         solution. Left unaddressed, these weaknesses undermine the\n         effectiveness of NRC\xe2\x80\x99s physical security approach to control access\n         into and within NRC facilities.\n\n\n\n\n                                     i\n\x0c                                        Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nWeaknesses Exist Concerning User Access\n\nACCESS does not fully employ required user access controls.\nSpecifically, in headquarters and a field office, several people share\none user identifier (ID), 2 of 11 headquarters users have\ninappropriate access to the system, and a majority of the\nheadquarters users have been granted the highest level of system\naccess. Noncompliance with agency requirements has occurred\nbecause there is no routine review of the user access, limitations\nexist with one site\xe2\x80\x99s version of ACCESS, and NRC staff cannot\neasily define or differentiate the difference among ACCESS user\nroles. Without adequate user access controls, security information\nis vulnerable to errors or misuse.\n\nSystem Contains Inaccurate Data\n\nACCESS contains inaccurate data pertaining to special access\nareas and the current employee population. 
These data\ninaccuracies exist because NRC does not impose effective quality\nassurance measures over access lists or system data. Without\naccurate information, there is the possibility of security breaches\nand ineffective control over special access areas.\n\nBadge Accountability Measures Are Inadequate\n\nNRC lacks adequate control over temporary badges issued to staff\nand visitors, and over badges issued to contractors. Specifically,\n\n\xc2\xbe Temporary badges loaned to staff who forget or lose their badge\n  are not always returned the day they were issued.\n\xc2\xbe Temporary visitor badges are not inventoried and accounted for\n  on a daily basis at headquarters and three field office sites.\n\xc2\xbe Contractor badges are not always retrieved promptly or\n  deactivated once it is determined a particular contractor is no\n  longer working for NRC.\n\nTemporary and contractor badges are not always returned promptly\nbecause the agency has not asserted measures to enforce these\nrequirements. Daily reconciliation of visitor badges is not\nperformed at headquarters or several NRC field offices because\nNRC has not enforced this requirement. These weaknesses\nincrease NRC\xe2\x80\x99s risk that temporary and contractor badges will be\nmisused to gain unauthorized access into NRC facilities.\n\n\n\n\n                           ii\n\x0c                                                                Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\n                System Documentation Is Incomplete or Missing\n\n                NRC has not adhered to agency listed system security\n                requirements for ACCESS or followed up on penetration testing\n                results. 
This is because the agency has not viewed fulfillment of\n                these requirements as a priority given that (1) ACCESS is a legacy\n                system unlikely to attain certification and accreditation1 and (2) a\n                Government-wide interoperable solution is expected to replace\n                ACCESS in FY 2009. Without following security requirements,\n                NRC has limited assurance that ACCESS is adequately protected\n                against unauthorized access or other misuse. In addition, ACCESS\n                system owners and users are unable to locate relevant information\n                when needed.\n\n                TTC Lacks Backup Power Supply\n\n                TTC\xe2\x80\x99s card reader contingency plan in the event of a power failure\n                is workable, but causes unnecessary security risks. Under this\n                plan, each employee is assigned a metal key that unlocks doors\n                that are also controlled by ACCESS card readers. By replacing the\n                metal keys assigned to each TTC employee with a backup power\n                supply to support ACCESS in the event of a power failure, NRC\n                can reduce the chance that keys will be lost and used to gain\n                unauthorized access to TTC facilities. In addition, reliance on the\n                card readers will allow a more accurate record of access within\n                TTC facilities.\n\n                RECOMMENDATIONS\n\n                This report makes 17 recommendations to better ensure that\n                ACCESS meets its operational requirements. A consolidated list of\n                recommendations appears on pages 28-29 of this report.\n\n                AGENCY COMMENTS\n\n                At an exit conference held December 19, 2006, agency managers\n                agreed with the audit findings and recommendations and provided\n                comments concerning the report. 
We modified the report as we\n                determined appropriate. NRC opted not to submit formal written\n                comments to this final version of the report.\n\n\n\n\n1\n Certification is the comprehensive evaluation of a system\xe2\x80\x99s security features and other\nsafeguards that establishes the extent to which a particular design and implementation meet a\nspecified set of security requirements. Accreditation grants the system sponsor the authority to\noperate the system based on the certification process and other considerations.\n                                                iii\n\x0c                             Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               iv\n\x0c                                         Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n       ACCESS        ACCESS/PICS\n\n       ACCESS/PICS   Access Control and Computer Enhanced\n                     Security System/Photo Identification Computer\n                     System\n\n       C&A           certification and accreditation\n\n       DFS           Division of Facilities and Security\n\n       FY            fiscal year\n\n       NRC           Nuclear Regulatory Commission\n\n       HSPD-12       Homeland Security Presidential Directive \xe2\x80\x93 12\n\n       IATO          interim authority to operate\n\n       ID            identifier\n\n       ISSO          information system security officer\n\n       IT            information technology\n\n       MD            Management Directive and Handbook\n\n       OIS           Office of Information Services\n\n       TTC           Technical Training Center\n\n\n\n\n                            v\n\x0c                             Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               vi\n\x0c                                                                       Audit of 
NRC\xe2\x80\x99s Badge Access System\n\n\n\nTABLE OF CONTENTS\n\n\n    EXECUTIVE SUMMARY.............................................................................. i\n\n    ABBREVIATIONS AND ACRONYMS .......................................................... v\n\n    I.      BACKGROUND ................................................................................... 1\n\n    II.     PURPOSE............................................................................................ 4\n\n    III.    FINDINGS ............................................................................................ 5\n\n           A.   WEAKNESSES EXIST CONCERNING SYSTEM USER ACCESS ..................... 5\n           B.   SYSTEM CONTAINS INACCURATE DATA .................................................. 10\n           C.   BADGE ACCOUNTABILITY MEASURES ARE INADEQUATE........................... 15\n           D.   SYSTEM DOCUMENTATION IS INCOMPLETE OR MISSING ........................... 20\n           E.   TTC LACKS BACKUP POWER SUPPLY FOR ACCESS ................................ 25\n\n    IV.     AGENCY COMMENTS ........................................................................ 27\n\n    V.      CONSOLIDATED LIST OF RECOMMENDATIONS ............................ 28\n\n\n    APPENDIX\n\n           A.     SCOPE AND METHODOLOGY ..................................................... 31\n\n\n\n\n                                                    vii\n\x0c                             Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              viii\n\x0c                                                 Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nI.   BACKGROUND\n\n         NRC\xe2\x80\x99s automated badging and card reader system is an important\n         component of the agency\xe2\x80\x99s physical security program. 
NRC uses\n         the system to manufacture photo-identification badges for\n         employees, contractors, and visitors and control their access within\n         NRC\xe2\x80\x99s headquarters, regional offices, and the TTC. NRC refers to\n         its system as ACCESS/PICS. In this report, the system will be\n         referred to simply as ACCESS, and NRC regional offices and TTC\n         will collectively be referred to as field offices.\n\n         Controlling Access\n\n         NRC seeks to ensure that only authorized individuals have the\n         freedom to travel unescorted within agency facilities. Individuals\n         may be approved for unescorted access within NRC facilities\n         following the successful adjudication of a background investigation.\n         Approved individuals are issued NRC badges that are programmed\n         to permit unescorted access within NRC facilities. NRC\xe2\x80\x99s Division\n         of Facilities and Security (DFS), within the Office of Administration,\n         manages NRC\xe2\x80\x99s background investigation and badging process.\n\n         Unescorted access may be limited by time of day and location\n         within the facility. For example, NRC employees are automatically\n         allowed 24-hour access, while contractors are typically given\n         access only during business hours. Furthermore, while most staff\n         are afforded access only to NRC\xe2\x80\x99s general access areas, some are\n         additionally permitted entry to special access areas based on their\n         specific needs. 
Special access areas are sections of NRC\n         headquarters space \xe2\x80\x93 such as the headquarters day care center,\n         the guard office, or Incident Response Operations \xe2\x80\x93 that have\n         restricted access for prior approved individuals only.\n\n         NRC also issues temporary badges to employees and visitors.\n         Temporary badges assigned to employees are programmed to\n         allow unescorted access within NRC facilities. The majority of\n         temporary visitor badges are not programmed to allow passage\n         beyond card readers because most visitors must be escorted by an\n         NRC employee or other authorized individual while at NRC\n         premises.\n\n\n\n\n                                    1\n\x0c                                        Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nSystem Description\n\nTo gain access inside NRC facilities, individuals place their badges\nagainst card readers that are positioned at various locations\nthroughout the buildings. Wiring connects the card readers to a\n                                      host computer, which stores\n                                      the access rights afforded to\n                                      each badge holder and\n                                      communicates back to the\n                                      card reader whether access is\n                                      allowed at a particular door. If\n                                      access is permitted, the\n                                      reader displays a green light\n                                      and the door associated with\n                                      the reader may be opened. 
If\n                                      access is not permitted, the\n                                      light turns red and the door\n                                      remains locked.\n                                      Headquarters has 181\n                                      readers; the field offices have\n                                      between 7 and 28 card\n                                      readers each.\nNRC headquarters card reader\n\nHeadquarters uses a different version of ACCESS than the field\noffices; only the headquarters system manufactures badges\nwhereas all of the systems are used for access control. NRC\nsecurity guards at headquarters manufacture all headquarters and\nfield offices badges and program them for access to headquarters.\nField office badges are then sent to their respective locations where\nthey are programmed to allow access to the employee or\ncontractor\xe2\x80\x99s duty station.\n\nThe ACCESS systems in headquarters and the field offices do not\ncommunicate with each other, and none are connected to a\nnetwork.\n\nSystem Data\n\nThe headquarters ACCESS system contains 6,409 records of\nbadges (includes employee, contractor, temporary, visitor, and\nother badges) currently in use at NRC. Records for badges\nassigned to individuals include social security numbers that are\nneeded for the badge manufacturing process. Field office systems\ndo not store social security numbers. Figure 1 depicts a breakdown\nof NRC\xe2\x80\x99s 6,409 badges by type. Table 1 provides a comparison of\nthe headquarters and field office systems.\n                           2\n\x0c                                                             Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\n\n                           Figure 1. 
NRC Badge Inventory, by Badge\n                                        Type (N=6,409)\n\n                         Temporary/\n                         Visitor/Other\n                              31%\n\n\n                                                                  Employee\n                                                                   Badges\n                                                                    52%\n\n\n                              Contractor\n                               Badges\n                                17%\n\n                 Table 1. Comparison of Headquarters and Field Office\n                 Systems\n\n                  System Characteristic            Headquarters          Field Offices\n                  Manufactures badges              Yes                   No\n                  Stores social security           Yes                   No\n                  number\n                  Controls access                  Yes                   Yes\n                  Connected to a network           No                    No\n                  Badges allow                     Yes                   Yes\n                  headquarters access\n                  Badges allow access to           No                    Yes\n                  field office2\n\n                 NRC has categorized ACCESS as a \xe2\x80\x9clisted\xe2\x80\x9d system for information\n                 security purposes. The term listed system refers to a computerized\n                 information system or application that processes sensitive\n                 information requiring additional security protections, and that may\n                 be important to NRC office or regional operations.\n\n                 Future Plans\n\n                 The approximately 15-year old ACCESS system is a legacy\n                 system, and NRC plans to replace it in FY 2009 (at the earliest) to\n                 comply with HSPD-12. 
This directive, issued in August 2004,\n\n2\n    Regional access control systems can be programmed to recognize headquarters badges.\n                                               3\n\x0c                                                   Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\n          ordered the establishment of a mandatory Governmentwide\n          standard for secure and reliable forms of identification to be issued\n          by the Government to its contractors and employees. One of\n          HSPD-12\xe2\x80\x99s goals is that these identification badges be used for\n          physical access to all Government facilities.\n\n\nII.   PURPOSE\n\n          The objective of this audit was to determine whether the current\n          badge access system meets its required operational capabilities\n          and provides for the security, availability, and integrity of the system\n          data. Appendix A contains information on the audit scope and\n          methodology.\n\n\n\n\n                                      4\n\x0c                                                                 Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nIII. FINDINGS\n\n                NRC\xe2\x80\x99s badge access system is capable of providing effective\n                support for NRC\xe2\x80\x99s physical security program. However, specific\n                cost-effective actions are needed to enhance this legacy system\xe2\x80\x99s\n                usage at NRC until a replacement system is implemented. 
Auditors\n                identified the following shortcomings with regard to ACCESS and\n                related badge accountability processes:\n\n                (A)      Weaknesses exist concerning system user access.\n                (B)      The system contains inaccurate data.\n                (C)      Badge accountability measures are inadequate.\n                (D)      System documentation is incomplete or missing.\n                (E)      TTC lacks a backup power supply for ACCESS.\n\n                These problems exist because concerns about ACCESS are\n                overshadowed by the agency\xe2\x80\x99s plan to replace the system as part\n                of its HSPD-12 solution. Left unaddressed, however, these\n                weaknesses undermine the effectiveness of NRC\xe2\x80\x99s physical\n                security approach to control access into and within NRC facilities.\n\n      A. Weakness Exist Concerning System User Access\n\n                ACCESS does not fully employ the user access controls identified\n                in Management Directive and Handbook (MD) 12.5, \xe2\x80\x9cNRC\n                Automated Information Security Program.\xe2\x80\x9d Specifically, in\n                headquarters and a field office, several people share one user ID,3\n                2 of 11 headquarters users have inappropriate access to the\n                system, and a majority of the headquarters users have been\n                granted the highest level of system access. Noncompliance with\n                MD 12.5 has occurred because there is no routine review of the\n                user access, limitations exist with one site\xe2\x80\x99s version of ACCESS,\n                and DFS staff cannot easily define or differentiate the difference\n                among ACCESS user roles. 
Without adequate user access\n                controls, security information is vulnerable to errors or misuse.\n\n                System Requirements\n\n                MD 12.5 details the requirements and responsibilities for protection\n                of information and information systems. Specifically, MD 12.5\n                Appendix A, \xe2\x80\x9cNRC Systems Development and Maintenance\n                Security Controls,\xe2\x80\x9d provides guidance for information system\n\n\n\n3\n  A user ID is a unique symbol or character string that an individual uses to log on to an\ninformation system.\n                                                 5\n\x0c                                                              Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\n                owners. Two security areas that must be addressed when\n                implementing or upgrading an information system are (1)\n                identification and authentication and (2) discretionary access.\n\n                Identification and authentication controls provide the capability to\n                establish, maintain, and protect a unique ID and password for each\n                authorized user. MD 12.5 Appendix A states that user IDs must be\n                issued on a one-to-one basis, meaning each system user must\n                have his or her own unique ID.\n\n                Discretionary access controls allow the administrator to configure\n                the system to ensure that authenticated users can access and\n                perform operations on only the system resources for which they\n                have authorization. MD 12.5 Appendix A states that access control\n                lists should be used to designate which users have specific\n                permissions. 
A related concept is the principle of least privilege,\n                which MD 12.5 defines as the practice of restricting user access to\n                data files and levels of access (e.g., read, write, delete) to the\n                minimum amount necessary for job performance.\n\n                Inappropriate System Access\n\n                ACCESS does not fully employ the user access controls identified\n                in MD 12.5 Appendix A. Specifically, in headquarters and a field\n                office, several people share one user ID, 2 of 11 headquarters\n                users have inappropriate access to the system, and a majority of\n                the headquarters users have been granted the highest level of\n                system access.\n\n                Auditors identified two situations where more than one person uses\n                ACCESS through the same user ID. In one case, a single user ID\n                is used by seven headquarters security guards, five of whom work\n                at a particular post in the Central Alarm Station. This post is\n                responsible for monitoring physical security and handling\n                headquarters security issues and officers, who cover the post at\n                different times of the day, can use the common ID to perform tasks\n                in ACCESS. A sixth officer who shares the common ID uses\n                ACCESS each week to disable temporary badges that were loaned\n                but not returned. In the other case, which occurred at a field office,4\n                two users share a common user ID on that site\xe2\x80\x99s version of\n                ACCESS. 
These individuals share an office and job responsibilities\n                related to ACCESS.\n\n\n\n4\n Auditors also found sharing of IDs in another field office, but this issue was addressed in a\nseparate Office of the Inspector General audit on computer security (OIG-06-A-15, dated July 11,\n2006).\n                                               6\n\x0c                                         Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nAuditors interviewed 22 system users in headquarters and at NRC\nfield offices to determine whether (1) they truly need access to the\nsystem and (2) their assigned system role was appropriate. A\nsystem role is assigned to each user\xe2\x80\x99s login ID and illustrates what\nlevel of system rights (read, write, delete) that individual should\nhave.\n\nMost users were appropriately given access to the system.\nHowever, 2 out of 11 individuals on the headquarters user list\nshould not have access to the system. One individual, who\nformerly required system access as part of a prior job assignment,\nno longer required such access because of a promotion that\noccurred about 2 years ago. The other individual given access\ninappropriately was a DFS contractor who performed overall\nACCESS system maintenance on a routine basis but was not\napproved by NRC for any access to work with information\ntechnology (IT) systems. NRC requires contractors to undergo a\nspecific type of background investigation before they can work with\nagency IT systems, and in this case the contractor had not\nundergone the necessary review.\n\nMore than half of the individuals in headquarters with system\naccess had system administrator rights. Of the 11 user accounts\nassigned to specific individuals to gain access to the headquarters\nsystem, 6 had the system administrator role. 
This level of access\nallows the users to read and write all the fields, and delete records.\nFurthermore, an additional two accounts with system administrator\nrights were not assigned to people, but instead were reserved for\nthe performance of specific tasks. These accounts seem\nunnecessary, given that the individuals who perform these tasks\nhave their own system administrator accounts associated with their\nnames.\n\nNo Routine Review\n\nAccess controls for ACCESS are not in compliance with MD 12.5\nbecause there is no routine review of user access. DFS managers\ndid not identify a need to create separate user accounts for security\nguards stationed at a particular post, and the system version in the\nfield office where the user ID is shared does not allow separate IDs\nto be created for multiple users with the same role. In addition,\nDFS staff cannot easily define or differentiate among ACCESS user\nroles.\n\n\n\n\n                           7\n\x0c                                          Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nInappropriate individuals have access to the system because DFS\nstaff do not routinely review the user list to determine whether users\ncontinue to need system access. In addition, without knowledge of\nthe different levels of access, there is no way to verify that all of the\nusers have the appropriate level or if their access levels need to be\nadjusted.\n\nDFS allows multiple headquarters security guards to share one\nuser ID because managers did not identify a need to create\nseparate accounts. Furthermore, a software limitation exists within\nthe field office using shared IDs that does not allow multiple users\nto be granted the same level of access. 
The system administrator in that field office decided to accept the risk of allowing two people to share one account rather than allow one person to have more access than their counterpart.

DFS assigns the system administrator role to most users because the staff who make such assignments cannot readily define the different ACCESS roles but know that the system administrator role will allow users to perform any task needed. A DFS employee stated that identifying the limitations of the different roles has not been a priority for the office.

System Data At Risk

Allowing individuals too much access, or shared access, to system data places the information in the system at risk of inadvertent or deliberate manipulation or misuse. While a DFS manager stated that there have been no known breaches in security, without proper access controls the system data and NRC security remain vulnerable.

Recommendations

OIG recommends that the Executive Director for Operations:

1. Perform an annual assessment of the user list for ACCESS and modify it appropriately in accordance with least privilege guidance.

2. Require separate user IDs for each user.

3. Assess the cost-effectiveness of updating the field office’s version of software to allow multiple user IDs with the same role, and install the updated version if the assessment indicates that benefits exceed costs.

4. Define and document user roles and associated rights.

B. System Contains Inaccurate Data

ACCESS contains inaccurate data pertaining to special access areas and the current employee population.
These data inaccuracies exist because DFS does not impose effective quality assurance measures over access lists or system data. Without accurate information, there is the possibility of security breaches and ineffective control over special access areas.

Data Requirements

Government managers must implement effective management controls over their programs. Office of Management and Budget Circular No. A-123, “Management’s Responsibility for Internal Control,” states that effective internal control provides reasonable assurance that effective and efficient operations are being achieved. Management Directive 4.4, “Management Controls,” states that management controls should reasonably ensure that programs achieve their intended results and that reliable and timely information is obtained, maintained, reported, and used for decisionmaking.

ACCESS is designed to provide information on who has access to NRC facilities and the level of access that these individuals have. ACCESS information should accurately reflect the current employee and contractor population and their access rights.

Data Inaccuracies

ACCESS contains inaccurate data pertaining to (1) special access areas and (2) the current employee population.
Specifically, people have inappropriate access to special access areas, former NRC employees remain in the system, and some field office location designations are incorrect.

Special Access Areas

OIG reviewed access lists[5] for five special access areas in headquarters and found that all but one mistakenly included individuals who should not have access to those areas. One list, which allowed 52 people access, included 9 individuals who no longer needed access to this space. The day care center list included 170 names[6] of individuals who no longer needed access, including one employee who had not had children in the center for more than 4 years. A point-of-contact[7] for a different special access area said the access list for the space had too many people on it because people failed to provide notification when they no longer needed access. This individual was working with DFS to remove those with inappropriate access.

[5] The lists were generated from ACCESS and show which individuals’ badges are programmed to allow access into these special access areas.
[6] Some names were listed more than once.

In addition, auditors learned that DFS has given nearly unrestricted access rights to a “super user” group of 28 individuals who are responsible for responding to headquarters security and facility emergencies and therefore need access to NRC’s special access areas.
These “super users,” primarily staff in DFS, have access to almost every special access area (there is one exception) within NRC headquarters, and while several points-of-contact were generally aware of the “super user” group, they did not know how many individuals, or who specifically, had such access. One point-of-contact was unaware of the group entirely.

Auditors reviewed the list of “super users” and determined that it contained two inappropriate people: a former Executive Director for Operations and a DFS contractor responsible for maintaining the ACCESS system.

Current Employee Population

ACCESS contains former employees and incorrect location designations for some employees. OIG reviewed ACCESS data to determine whether (1) employees who had left NRC during a 3-month period had been removed from the headquarters system at the end of the 3 months, (2) employees who had transferred between NRC locations during this period were accurately reflected in the data, and (3) data corrections provided by one field office to headquarters were incorporated into the headquarters system. This review found that 26 of 94 employees who terminated during the 3-month period still had active records within ACCESS.[8] In addition, three of the eight people who had transferred offices during this timeframe were recorded incorrectly within ACCESS: the current duty station was incorrect, and a new badge reflecting the new duty station had not been issued to the employee.

[7] DFS keeps a list of points-of-contact associated with each special access area. The point-of-contact is the individual designated to communicate with DFS about changes to the special access lists.
[8] Of the 26 individuals who terminated but had not been removed from the headquarters ACCESS system, 17 were field office employees.

With regard to corrections provided by field offices, 7 of 23 corrections requested by a field office had not been incorporated into ACCESS. Table 2 summarizes the results of this data analysis.

Table 2. Data Accuracy Assessment Results

Category                          Number of Files Checked   Number With Errors   Error Rate
Terminations                       94                        26                   28%
Geographical transfers              8                         3                   38%
Field office correction requests   23                         7                   30%
Total                             125                        36                   29%

Auditors also determined that two field office systems contain the names of many former NRC employees. These field offices add headquarters employees to their systems when they come to the site for a visit or training but do not routinely remove these individuals when the visit or training concludes.
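The user-list review in finding A (Recommendation 1) and the data-accuracy reconciliation behind Table 2 (Recommendations 5 and 7) are both periodic comparisons of ACCESS records against an authoritative source, and both can be scripted. The Python below is an added example written for this page; it is not NRC or DFS code, and because the report does not describe the ACCESS schema, the record layouts, role names, station codes, field names and sample data are all constructed for illustration. It flags the conditions the audit found (a login shared by several guards, task accounts tied to no named person, a contractor holder not approved for IT work, system administrator rights held by most named accounts) and then reconciles badge records against an HR separation list and a transfer list, producing per-category error rates in the form of Table 2.

```python
# Added example (not from the OIG report): periodic review of badge-system records.
# Record layouts, role names, station codes and sample data are constructed for
# illustration; the real ACCESS schema is not described in the audit.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UserAccount:
    login: str
    holders: Tuple[str, ...]   # people using this login: () = task account, >1 = shared ID
    role: str                  # assumed role names: "sysadmin", "operator", "readonly"
    approved_for_it: bool      # background investigation for IT system work completed


@dataclass(frozen=True)
class BadgeRecord:
    person: str
    duty_station: str          # assumed station codes: "HQ" or a region such as "R1"
    active: bool


def review_user_accounts(accounts: List[UserAccount], max_admin_share: float = 0.5):
    """Least-privilege review of the user list (Recommendation 1): returns
    (login, reason) pairs for task accounts with no named owner, shared logins,
    holders not approved for IT work and, under login "*", sysadmin rights held
    by more than `max_admin_share` of the accounts tied to one named person."""
    findings = []
    for a in accounts:
        if not a.holders:
            findings.append((a.login, "task account not tied to a named individual"))
        elif len(a.holders) > 1:
            findings.append((a.login, f"shared by {len(a.holders)} people"))
        if not a.approved_for_it:
            findings.append((a.login, "holder not approved for IT system work"))
    named = [a for a in accounts if len(a.holders) == 1]
    admins = sum(1 for a in named if a.role == "sysadmin")
    if named and admins / len(named) > max_admin_share:
        findings.append(("*", f"{admins} of {len(named)} named accounts hold sysadmin"))
    return findings


def _rate(checked: int, errors: int) -> Tuple[int, int, int]:
    """(files checked, files with errors, error rate in whole percent), as in Table 2."""
    return checked, errors, (round(100 * errors / checked) if checked else 0)


def reconcile_population(badges: List[BadgeRecord], separations: Dict[str, date],
                         transfers: Dict[str, str], as_of: date, grace_days: int = 0):
    """Data-accuracy check of badge records (Recommendations 5 and 7).
    `separations` maps person -> HR separation date; `transfers` maps person ->
    duty station HR now has on file. A separated person still active more than
    `grace_days` after separation is an error, as is a transferred person whose
    recorded station differs from HR. Returns (summary, stale, wrong_station)."""
    by_person = {b.person: b for b in badges}
    stale = sorted(p for p, d in separations.items()
                   if p in by_person and by_person[p].active
                   and d + timedelta(days=grace_days) < as_of)
    wrong_station = sorted(p for p, station in transfers.items()
                           if p in by_person and by_person[p].duty_station != station)
    summary = {
        "terminations": _rate(len(separations), len(stale)),
        "transfers": _rate(len(transfers), len(wrong_station)),
        "total": _rate(len(separations) + len(transfers), len(stale) + len(wrong_station)),
    }
    return summary, stale, wrong_station


# Constructed sample data (not audit data).
SAMPLE_ACCOUNTS = [
    UserAccount("jdoe", ("J. Doe",), "sysadmin", True),
    UserAccount("asmith", ("A. Smith",), "sysadmin", True),
    UserAccount("bwong", ("B. Wong",), "operator", True),
    UserAccount("vendor1", ("C. Vendor",), "sysadmin", False),   # contractor, no investigation
    UserAccount("guardpost", ("Guard 1", "Guard 2", "Guard 3"), "operator", True),  # shared ID
    UserAccount("nightly", (), "sysadmin", True),                 # task account, no owner
]
AS_OF = date(2006, 9, 30)
SAMPLE_BADGES = [
    BadgeRecord("J. Doe", "HQ", True),
    BadgeRecord("A. Smith", "HQ", True),
    BadgeRecord("B. Wong", "R1", True),
    BadgeRecord("D. Left", "HQ", True),     # separated in July, record still active
    BadgeRecord("E. Gone", "R2", False),    # separated, correctly deactivated
    BadgeRecord("F. Moved", "HQ", True),    # transferred to R3, station never updated
]
SAMPLE_SEPARATIONS = {"D. Left": date(2006, 7, 15), "E. Gone": date(2006, 8, 1),
                      "G. Removed": date(2006, 8, 20)}   # G. Removed: record already deleted
SAMPLE_TRANSFERS = {"B. Wong": "R1", "F. Moved": "R3"}

if __name__ == "__main__":
    for login, reason in review_user_accounts(SAMPLE_ACCOUNTS):
        print(f"{login:10} {reason}")
    summary, stale, wrong_station = reconcile_population(
        SAMPLE_BADGES, SAMPLE_SEPARATIONS, SAMPLE_TRANSFERS, AS_OF)
    for category, (checked, errors, pct) in summary.items():
        print(f"{category:13} checked={checked:3} errors={errors:3} rate={pct}%")
    print("still active after separation:", stale, "| station out of date:", wrong_station)
```

The HR separation list is treated as the source of truth and ACCESS as the system to be corrected, which is the direction Recommendation 7 implies; the `grace_days` parameter is there because a review that runs the morning after a separation should not count a record the badging office has not yet had a working day to close.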
Unlike those two field offices, one field office described a routine, deliberate effort to remove such individuals after they terminate their NRC employment.

Quality Assurance Measures Are Missing

ACCESS data inaccuracies exist because DFS does not impose effective quality assurance measures over access lists or system data. There is no routine review of special access area lists, no oversight to ensure that terminated employees are removed from the headquarters system in a timely manner, and no written guidance to ensure that transfers are reflected accurately in the system or that field offices remove former employees from their systems.

Special Access Areas

There are inappropriate people on the special access area lists because there are no quality control steps to ensure that people are removed from these lists. DFS staff rely on special access area points-of-contact to keep their lists current; however, points-of-contact have differing understandings of this responsibility.

OIG interviewed six points-of-contact for special access areas, half of whom did not know they could request a list of people with access to the special access areas. One point-of-contact was unaware of the responsibilities of being a point-of-contact. Another point-of-contact performs quarterly checks to ensure their list is accurate, but must proactively request their list from DFS, which does not provide the lists unless asked.

In addition, DFS does not conduct effective reviews of its own super user group.
While a DFS employee stated that the list is reviewed occasionally during the year, the fact that it contained two individuals who should not be on it suggests the review is ineffective.

Current Employee Population

The headquarters ACCESS system does not accurately reflect the current employee population because (1) DFS staff do not always remove employees from ACCESS in a timely manner and (2) there are no standard operating procedures to ensure that the correct steps are taken in recording regional transfers within ACCESS. The field office ACCESS systems contain the names of employees who no longer work for the agency because there is no guidance instructing these offices to remove former employees’ names.

Risk of Security Breaches

Without accurate information, there is the possibility of security breaches and ineffective control over special access areas. By allowing people to have inappropriate access to special access areas, there is no guarantee that only the correct people have access to protected space. Having unnecessary names in the system also means the database does not reflect the current population, which could create confusion for DFS employees or security guards who generate temporary badges for employees. Accurate data will be essential if any of this information is to be used in the new HSPD-12 system or if both systems are to be maintained concurrently for any length of time.

Recommendations

OIG recommends that the Executive Director for Operations:

5. Institute quarterly quality assurance reviews of system data to ensure that system data are accurate with regard to special access areas, terminated employees, and terminated contractors.

6. Conduct quarterly reviews of super user lists, modify them appropriately, and send them to special access area points-of-contact.

7. Provide the official agency list of departures to all field office badging officials to facilitate removal of terminated employees.

8. Write and implement badge access system operating procedures that provide system user guidance and incorporate the preceding three recommendations.

C. Badge Accountability Measures Are Inadequate

NRC lacks adequate control over temporary badges issued to staff and visitors, and over badges issued to contractors. Specifically,

- Temporary badges loaned to staff who forget or lose their badge are not always returned the day they were issued.
- Temporary visitor badges are not inventoried and accounted for on a daily basis at headquarters and three field office sites.
- Contractor badges are not always retrieved promptly or deactivated once it is determined that a particular contractor is no longer working for NRC.

Temporary and contractor badges are not always returned promptly because the agency has not established measures to enforce these requirements. Daily reconciliation of visitor badges is not performed at headquarters or several NRC field offices because NRC has not enforced this requirement.
These weaknesses increase NRC’s risk that temporary and contractor badges will be misused to gain unauthorized access into NRC facilities.

Badge Requirements

NRC requirements pertaining to the control of employee, contractor, and visitor badges are included in Management Directive and Handbook (MD) 12.1, “NRC Facility Security Program,” and MD 12.3, “NRC Personnel Security Program.” These MDs require that:

(1) Temporary badges assigned to employees and contractors be returned at the end of the work day to the guard or receptionist desk from which they were issued.[9]

(2) Temporary badges issued to visitors be inventoried and accounted for on a daily basis.

(3) NRC offices that sponsor a contractor arrange for the immediate return of badges and immediate written notification to DFS when the contractor no longer needs access to NRC facilities.

[9] MD 12.1 states that temporary badges for employees must be returned on a daily basis but does not specifically mention contractor temporary badges. However, a DFS official stated that the expectation is that all temporary badges issued are to be returned daily.

Badge Controls Not Imposed

NRC headquarters and three field offices do not impose daily control requirements over temporary badges assigned to employees, contractors, and visitors.
Furthermore, contractor badges are not always returned to NRC, and DFS is not always notified promptly when a contractor no longer needs access to NRC facilities.

Temporary Employee and Contractor Badges

NRC headquarters and three field offices do not assess whether temporary employee and contractor badges are returned daily and therefore could not provide definitive numbers concerning staff’s failure to return badges. However, based on interviews with staff responsible for tracking temporary badges at headquarters and all five field office sites, auditors learned that it is not infrequent for these badges, which allow unescorted access within NRC facilities, to be retained for more than a day.

According to a headquarters security officer who performs weekly inventories of the temporary badges, on average seven or eight temporary headquarters badges are not returned each week. Another headquarters security officer recalled that one employee recently returned four temporary badges that had been assigned to this individual concurrently. At the field offices, individuals responsible for tracking temporary badges described occasions where they needed to contact individuals to return temporary badges. In one region, it was reported that about two temporary badges are lost per year while on loan to individuals and therefore never returned.

At headquarters and each of the five field offices, staff who are responsible for tracking temporary badges said that they attempt to retrieve badges after determining that the badges were not returned. The number of days it takes to initiate such contact depends on the frequency with which the staff reconcile the temporary badges. At two locations, such reconciliation occurred daily; thus retrieval efforts were timely.
Retrieval efforts were less timely at the remaining four locations, where reconciliations occurred either every few days or weekly.

At headquarters and two field offices, staff stated that they deactivate temporary badges if they are not returned after such retrieval efforts. Again, however, the time to deactivate depends on how quickly the site becomes aware that a badge is missing.

Temporary Visitor Badges

At headquarters and three field offices, temporary visitor badges are not inventoried and accounted for on a daily basis. Headquarters performs this type of inventory on a weekly basis, but does not follow up when these badges, which are not programmed to permit passage beyond a card reader, are not returned.

At two field offices, visitor badges are tracked on a daily basis.
At one site, an expiring paper badge system is used for visitors requiring escorted access.[10] At a different field site, a staff member inventories the visitor badges daily and follows up with the NRC employee escort when a visitor badge is not returned.

Contractor Badges

NRC project officers are not always able to retrieve contractor badges from contractors no longer working on an NRC contract, and they do not always notify DFS immediately when a contractor stops working on the NRC contract.

OIG contacted 11 NRC project officers[11] who had experience with contractor badge retrieval, and 7 described instances where they had difficulty or were unable to retrieve a contractor’s badge. Project officers would usually attempt to retrieve the badge themselves, sometimes for at least a week or two, and when they realized they were not going to be successful, they would usually notify DFS to terminate the contractor’s access. One individual never notified DFS that the badge had not been returned, and another provided such notification in response to a letter DFS sent to all project officers inquiring about the status of their contractors.

Return Requirements Not Enforced

Temporary badges are not always returned promptly because the agency has not established measures to enforce the daily return requirement. For example, there is no requirement for security staff to account for these badges on a daily basis; therefore, a non-returned badge can easily remain undetected.
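Recommendation 9 asks for daily reconciliation of temporary badges and disabling of those not returned, and the findings above explain why a weekly cadence leaves a live badge unnoticed for days. The Python below is an added example for this page, not code from NRC or from the ACCESS system; the loan-log layout, the two badge kinds, the dates and the two-day deactivation threshold are assumptions. It lists every badge still out past its issue day with the action to take, and computes how long each such badge would remain unnoticed under a daily versus a weekly reconciliation schedule.

```python
# Added example (not from the OIG report): daily temporary badge reconciliation.
# The loan-log layout, badge kinds, dates and deactivation threshold are assumed
# for illustration; the audit does not describe how sites record badge loans.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Loan:
    badge_id: str
    kind: str                    # "temporary" (unescorted access) or "visitor" (no reader access)
    issued_to: str
    issued_on: date
    returned_on: Optional[date]  # None = still out


def still_out(loans: List[Loan], today: date) -> List[Loan]:
    """Badges not returned by the end of their issue day and still outstanding."""
    return [l for l in loans if l.returned_on is None and l.issued_on < today]


def reconcile(loans: List[Loan], today: date,
              disable_after_days: int = 2) -> List[Tuple[str, str, int, str]]:
    """Daily reconciliation (Recommendation 9): returns (badge_id, holder,
    days out, action). A temporary badge out for `disable_after_days` or more
    is deactivated in the access system as well as chased; a visitor badge opens
    no reader but still supports tailgating, so it is chased through the escort."""
    actions = []
    for l in still_out(loans, today):
        days_out = (today - l.issued_on).days
        if l.kind == "visitor":
            action = "retrieve from escort"
        elif days_out >= disable_after_days:
            action = "deactivate and retrieve"
        else:
            action = "contact holder"
        actions.append((l.badge_id, l.issued_to, days_out, action))
    return actions


def reconciliation_dates(anchor: date, cadence_days: int, until: date) -> Iterator[date]:
    """Dates on which a site reconciles: every `cadence_days` from `anchor`."""
    d = anchor
    while d <= until:
        yield d
        d += timedelta(days=cadence_days)


def days_unnoticed(loans: List[Loan], today: date, anchor: date,
                   cadence_days: int) -> Dict[str, int]:
    """For each badge still out, days from issue until the first reconciliation
    after the issue day catches it. Badges no reconciliation has reached yet are
    omitted. A weekly cadence can leave a badge live for up to a week; a daily
    one catches it the next morning."""
    result = {}
    for l in still_out(loans, today):
        for d in reconciliation_dates(anchor, cadence_days, today):
            if d > l.issued_on:
                result[l.badge_id] = (d - l.issued_on).days
                break
    return result


# Constructed sample loan log (not audit data). "Today" is Friday 2006-10-13.
TODAY = date(2006, 10, 13)
SAMPLE_LOANS = [
    Loan("T-101", "temporary", "K. Lee", date(2006, 10, 12), None),                 # out one day
    Loan("T-102", "temporary", "M. Ortiz", date(2006, 10, 9), None),                # out since Monday
    Loan("T-103", "temporary", "P. Shah", date(2006, 10, 11), date(2006, 10, 11)),  # returned same day
    Loan("V-201", "visitor", "visitor of R. Cole", date(2006, 10, 10), None),       # escort never returned it
    Loan("T-104", "temporary", "S. Diaz", TODAY, None),                             # issued today, not yet due
]

if __name__ == "__main__":
    for badge_id, holder, days_out, action in reconcile(SAMPLE_LOANS, TODAY):
        print(f"{badge_id} {holder:20} out {days_out}d -> {action}")
    last_friday = date(2006, 10, 6)   # the site's last weekly inventory
    print("weekly:", days_unnoticed(SAMPLE_LOANS, TODAY, last_friday, 7))
    print("daily: ", days_unnoticed(SAMPLE_LOANS, TODAY, last_friday, 1))
```

With a weekly inventory anchored on a Friday, a badge issued on Monday stays live and unnoticed for four days; with a daily inventory every badge in the log is caught the next morning, which is the difference between the two field offices that reconcile daily and the sites that reconcile weekly.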
Temporary badges are also not deactivated promptly, which allows the individual to whom such a badge was loaned to keep using it successfully to pass through card reader control points within the NRC facility from which it was assigned.

[10] These badges, which are assigned to individuals upon their arrival, gradually change in appearance throughout the day. At the time of assignment to a visitor, they feature the visitor’s name in black print on a white background. After approximately 8 hours, however, diagonal pink stripes appear clearly on the background, indicating that the person is no longer authorized as a visitor.
[11] One individual was not a project officer, but a contract technical monitor who served as the contact person to deal with DFS on badging matters.

Daily reconciliation of visitor badges is not performed at several NRC locations because the agency has not enforced this requirement. Furthermore, NRC staff do not make a concerted effort to retrieve these badges because they perceive no risk associated with them, since they are not programmed to allow the holder beyond any card reader control points.

Contractor badges are not always returned promptly because there is no contractual incentive for the contractor to return the badge. DFS is not always notified promptly about a contractor no longer requiring access because project officers typically try to retrieve the badge before notifying DFS, and in cases where the badge is not retrieved promptly, this notification is subsequently delayed.

Potential for Misuse

All NRC badges could be misused by individuals with malicious intent who are not authorized for entry into NRC facilities.
Such individuals could use the badges to gain entry into NRC and then move around freely within the facility to commit petty theft, cause physical harm, or gain access to classified information.

While it is easier to envision the potential harm caused by a lost temporary or contractor badge (which allow unescorted access), a lost visitor badge could also be misused. Visitor badges look similar to non-visitor badges, and someone in possession of one could easily tailgate through a control point behind a non-visitor. NRC needs to tighten its badge control processes to minimize the risk of a non-authorized individual gaining access beyond NRC control points.

Recommendations

OIG recommends that the Executive Director for Operations:

9. Conduct daily reconciliations of temporary badges and disable access for badges not returned.

10. Replace the current visitor badges with expiring paper badges.

11. Include clauses in new contracts imposing a financial penalty for badges not returned.

12. Reiterate to NRC project officers the need to notify DFS immediately when a contractor no longer needs access to NRC facilities.

D. System Documentation Is Incomplete or Missing

NRC has not adhered to agency listed system security requirements for ACCESS or followed up on penetration testing results.
This is because the Office of Information Services (OIS) and DFS do not view fulfillment of these requirements as a priority, given that (1) ACCESS is a legacy system unlikely to attain certification and accreditation and (2) a Government-wide interoperable solution is expected to replace ACCESS in FY 2009. Without following security requirements, NRC has limited assurance that ACCESS is adequately protected against unauthorized access or other misuse. In addition, ACCESS system owners and users are unable to locate relevant information when needed.

IT Security Requirements

NRC guidance requires the implementation of administrative, technical, and physical security measures appropriate for the protection of NRC information and information systems. Furthermore, it is prudent for agency managers to follow up on reports that identify IT system weaknesses.

Listed System Requirements

According to MD 12.5, listed systems such as ACCESS must have the following:

Inclusion in the OIS master system inventory. This is an overall listing of all NRC information technology systems.

System security plan. This plan addresses the system’s functionality, production environment, and security controls and countermeasures to prevent or detect a security incident or mitigate the impact of a security breach.
This plan should also include procedures for training individuals permitted system access, procedures for monitoring the effectiveness of security controls, and provisions for continuity of operations in the event of system disruption or failure.

Information system security officer (ISSO). The ISSO is a trusted position with special access to and authority for a system. Responsibilities include developing and monitoring the system’s security rules of behavior and other security controls, ensuring that the certification and accreditation process is completed, ensuring that system security program reviews and periodic security testing are completed, and ensuring that the status of remediation activities is tracked and reported until completion.

Certification and accreditation (C&A). This process is defined in footnote 1.
The C&A process for listed systems is also fulfilled when the OIS authorizing official issues an interim authority to operate (IATO).[12]

[12] An IATO is issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, assets, or individuals is not fully acceptable, but there is an overarching mission necessity to place the information system into operation or continue its operation. The duration established for an IATO should be commensurate with the risk to agency operations, agency assets, or individuals associated with the operation of the information system. When the security-related deficiencies have been adequately addressed, the IATO should be lifted and the information system authorized to operate.

Addressing Identified Weaknesses

Management followup to address report findings and recommendations is a prudent management best practice. Following up on security-related reports helps managers identify risks and subsequently determine the acceptable level of risk to ensure that adequate security is maintained.

NRC Has Not Met Requirements

NRC has not (1) adhered to agency listed system security requirements for ACCESS or (2) followed up on penetration testing results.

Listed System Requirements Not Fulfilled

ACCESS appears on the agency’s master systems inventory but does not adhere to the other listed system requirements specified in MD 12.5. ACCESS lacks the following:

- System Security Plan
- Information System Security Officer
- Certification and Accreditation

System Security Plan

Despite MD 12.5 requirements, OIS has not approved, and DFS has not written, a current system security plan. A DFS employee provided auditors with an inadequate and outdated ACCESS security plan that contains the following discrepancies:

- Lacks key information such as the date, approval, and author.
- Incorrectly categorizes ACCESS as a major application.
- Does not base its information sensitivity categorization on current criteria.
- Does not address the controls in place that pertain to the ACCESS stand-alone components located in the NRC field offices.

DFS staff were unable to provide clarifying information regarding this security plan, other than acknowledging that it was obsolete. One DFS employee recalled drafting this version of the security plan a long time ago and providing it to an OIS[13] employee for review. OIS provided feedback, which was incorporated by DFS and returned to OIS. However, at that point, the employee recalled, correspondence ended and OIS never provided further feedback.

Information System Security Officer

NRC has not appointed an ISSO for ACCESS as required by MD 12.5.
Although several staff are involved with responsibilities concerning the management and operation of ACCESS, the system roles have not been clearly defined. Several individuals conveyed that they have key roles and responsibilities similar to those of an ISSO. For example, one DFS employee claimed to be the system point-of-contact, while an employee in the Office of Administration claimed responsibility for handling office IT issues and performing troubleshooting activities related to ACCESS. This employee also claimed to share the ISSO role with another Office of Administration employee; however, there was no indication that this was an official assignment.

Periodic Certification and Accreditation

ACCESS has not been certified and accredited in accordance with MD 12.5. Although an official agency document states that in FY 2005 ACCESS had an interim authority to operate, the agency could not provide any documentation supporting this status. OIS and DFS employees were unable to provide the ACCESS interim authority to operate memorandum or any documentation that would have been reviewed in order to grant the interim authority to operate.

[13] OIS was formerly named the Office of the Chief Information Officer.

No Follow Up on Penetration Testing Results

OIS conducted a penetration test on ACCESS in the fall of 2005 and provided the results to DFS with the expectation that the weaknesses would be addressed.
However, DFS did not address\nthe reported weaknesses and OIS did not follow up to ensure that\nthe weaknesses were addressed.\n\nRequirements Not Given Priority\n\nOIS and DFS managers have not expended resources to complete\nlisted system security requirements for ACCESS or correct the\nweaknesses identified in the penetration test results because\nmanagers do not view these actions as a priority. Management\nofficials representing OIS and DFS have expressed that resources\nare not being expended on ACCESS given that 1) ACCESS is a\nlegacy system unlikely to attain certification and accreditation and\n2) a Government-wide interoperable information technology\nsolution is expected to replace ACCESS within the next 2 to 3\nyears.\n\nOIG acknowledges that it would not be cost-effective to implement\nthe full scope of security controls for ACCESS; however, certain\ncontrols are essential to mitigate risks associated with the system.\nNRC needs to pursue the cost-effective controls and document why\nother controls will not be pursued at this time.\n\nLimited Assurance of Protection\n\nWithout adhering to NRC system security requirements and\nfollowing up on penetration testing results, NRC has limited\nassurance that the system is sufficiently protected against\nunauthorized access, use, disclosure, disruption, modification, or\ndestruction of information and property. In addition, ACCESS\nsystem owners and users are unable to locate relevant information\nwhen needed.\n\n\n\n\n                          23\n\x0c                                     Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nRecommendations\n\nOIG recommends that the Executive Director for Operations:\n\n13.   In accordance with NRC requirements for listed systems,\n      develop an ACCESS system security plan and appoint an\n      Information System Security Officer.\n\n14.   Develop documentation to support the ACCESS interim\n      authority to operate.\n\n15.   
Complete the actions necessary to address the ACCESS\n      weaknesses contained in the penetration test report.\n\n\n\n\n                        24\n\x0c                                              Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nE. TTC Lacks Backup Power Supply for ACCESS\n\n      TTC\xe2\x80\x99s card reader contingency plan in the event of a power failure\n      is workable, but causes unnecessary security risks. Under this\n      plan, each employee is assigned a metal key that unlocks doors\n      that are also controlled by ACCESS card readers. By replacing the\n      metal keys assigned to each TTC employee with a backup power\n      supply to support ACCESS in the event of a power failure, NRC\n      can reduce the chance that keys will be lost and used to gain\n      unauthorized access to TTC facilities. In addition, reliance on the\n      card readers will allow a more accurate record of access within\n      TTC facilities.\n\n      Backup Power Benefit\n\n      It is important from a security perspective to have an ACCESS\n      contingency plan in place to use if electricity fails. Contingency\n      plan elements can include coverage at control points by security\n      guards, an uninterrupted power supply that would allow continued\n      coverage by ACCESS during a power outage, and keys that staff\n      would use if the uninterrupted power supply failed.\n\n      TTC Lacks Backup Power\n\n      TTC\xe2\x80\x99s contingency plan is workable, but causes an unnecessary\n      security risk. To deal with power failures that occur periodically at\n      TTC, the approximately 30 staff are assigned regular metal keys,\n      as well as key cards, and either will work to gain entry into and\n      within TTC facilities. If a metal key is lost, which happened\n      recently, all locks at TTC must be rekeyed. 
Furthermore, the metal\n      key is a standard key that can easily be copied by a locksmith.\n\n      In contrast, two of NRC\xe2\x80\x99s regional offices that have uninterruptable\n      power supplies also assign metal keys to certain staff to be used if\n      there is a complete power failure. In one region, the keys will not\n      work unless there is such a failure. In the other region, usage of\n      the keys in the absence of a complete power failure triggers an\n      alarm.\n\n      Keys Used Instead\n\n      Staff are given metal keys as a backup to use in the event of power\n      failure at TTC because the facility lacks an uninterrupted backup\n      power supply that would activate during a power outage.\n\n\n\n                                25\n\x0c                                        Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nSecurity Is Weakened\n\nBy relying on standard metal keys as a backup to TTC\xe2\x80\x99s badge\nreader system, the agency risks that keys will be lost or duplicated\nand used to gain unauthorized access to TTC facilities.\nFurthermore, because employees always have the option to\noverride ACCESS by using a key for entry, the agency lacks an\naccurate record of access into and within TTC facilities. Replacing\nthe metal keys with an uninterruptible power supply backup will\nenhance security at TTC and reduce the burden on staff who\nperform quarterly inventories of the keys assigned to TTC\nemployees.\n\nRecommendations\n\nOIG recommends that the Executive Director for Operations:\n\n16.   Assess the cost effectiveness of providing power backup for\n      the TTC badge access system.\n\n17.   Alternatively, limit distribution of keys to a smaller number of\n      TTC staff and use security keys that cannot easily be\n      duplicated.\n\n\n\n\n                          26\n\x0c                                            Audit of NRC\xe2\x80\x99s Badge Access System\n\n\n\nIV. 
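The key-override alarm that Section E describes for one regional office, written out as a monitoring rule over door-reader and power-status records. This is an added example, not code from the OIG report or from ACCESS; the event records, field names and the outage window are constructed for illustration.

```python
"""Key-override monitoring for a badge access system (added example).

Illustrates the contingency design described for one NRC regional office:
metal keys are a fallback for power failures, and using a key while power is
available raises an alarm. Event records, field names and the outage window
below are constructed assumptions, not ACCESS data.
"""
from datetime import datetime

# Constructed power-status feed: (timestamp, state) transitions for a facility.
POWER_LOG = [
    ("2006-09-12T07:00:00", "up"),
    ("2006-09-12T10:15:00", "down"),
    ("2006-09-12T11:40:00", "up"),
]

# Constructed door events: (timestamp, door, method, badge or key identifier).
DOOR_EVENTS = [
    ("2006-09-12T08:02:00", "front", "card", "badge-0417"),
    ("2006-09-12T10:31:00", "front", "key", "key-07"),          # during outage
    ("2006-09-12T13:05:00", "server-room", "key", "key-12"),    # power is up
    ("2006-09-12T13:06:00", "server-room", "card", "badge-0099"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def power_state_at(power_log, when):
    """Return the last recorded power state at or before `when` ('up' if none)."""
    state = "up"
    for t, s in sorted(power_log):
        if _ts(t) <= when:
            state = s
    return state

def review_key_use(door_events, power_log):
    """Classify key-based entries.

    alarms:       key used while power was up (bypassed the card reader)
    expected:     key used during a recorded outage
    unattributed: share of all entries that left no badge-linked record
    """
    alarms, expected = [], []
    for t, door, method, ident in door_events:
        if method != "key":
            continue
        entry = {"time": t, "door": door, "key": ident}
        bucket = expected if power_state_at(power_log, _ts(t)) == "down" else alarms
        bucket.append(entry)
    keys = len(alarms) + len(expected)
    return {"alarms": alarms, "expected": expected,
            "unattributed": keys / len(door_events) if door_events else 0.0}
```

On the constructed input, the key used at 13:05 while power is up is flagged, the key used at 10:31 during the outage is accepted, and half of all entries have no badge identity behind them.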
IV. AGENCY COMMENTS

At an exit conference held December 19, 2006, agency managers agreed with
the audit findings and recommendations and provided comments concerning the
report. We modified the report as we determined appropriate. NRC opted not
to submit formal written comments to this final version of the report.

V. CONSOLIDATED LIST OF RECOMMENDATIONS

1.   Perform an annual assessment of the user list for ACCESS and modify it
     appropriately in accordance with least privilege guidance.

2.   Require separate user IDs for each user.

3.   Assess the cost-effectiveness of updating the field office's version of
     software to allow multiple user IDs with the same role, and install the
     updated version if the assessment indicates benefits exceed costs.

4.   Define and document user roles and associated rights.

5.   Institute quarterly quality assurance reviews of system data to ensure
     that system data is accurate with regard to special access areas,
     terminated employees, and terminated contractors.

6.   Conduct quarterly reviews of super user lists, modify appropriately, and
     send to special access points-of-contact.

7.   Provide the official agency list of departures to all field office
     badging officials to facilitate removal of terminated employees.

8.   Write and implement badge access system operating procedures that
     provide system user guidance and address the preceding three
     recommendations.

9.   Conduct daily reconciliations of temporary badges and disable access for
     badges not returned.

10.  Replace the current visitor badges with expiring paper badges.

11.  Include clauses in new contracts imposing a financial penalty for badges
     not returned.

12.  Reiterate to NRC project officers the need to notify DFS immediately
     when a contractor no longer needs access to NRC facilities.

13.  In accordance with NRC requirements for listed systems, develop an
     ACCESS system security plan and appoint an Information System Security
     Officer.

14.  Develop documentation to support the ACCESS interim authority to
     operate.

15.  Complete the actions necessary to address the ACCESS weaknesses
     contained in the penetration test report.

16.  Assess the cost-effectiveness of providing power backup for the TTC
     badge access system.

17.  Alternatively, limit distribution of keys to a smaller number of TTC
     staff and use security keys that cannot easily be duplicated.

Appendix A

SCOPE AND METHODOLOGY

Auditors evaluated NRC's badging and card reader system to determine whether
the system meets its required operational capabilities and provides for the
security, availability, and integrity of the system data.

The Office of the Inspector General audit team reviewed relevant criteria,
including NRC MD 12.5, "NRC Automated Information Security Program," MD 4.4,
"Management Controls," MD 12.1, "NRC Facility Security Program," and MD 12.3,
"NRC Personnel Security Program." Other relevant criteria related to the
management controls required for the badge access system include Office of
Management and Budget Circular No. A-123, "Management's Responsibility for
Internal Control."

Auditors interviewed Office of Administration and OIS staff to learn their
roles and responsibilities as they pertain to ACCESS. Auditors also
interviewed TTC, regional, and headquarters staff with roles in NRC's badging
process to assess their understanding of the process and assess whether their
day-to-day activities are conducted in accordance with requirements.

Auditors reviewed the badging process as implemented in headquarters,
regional offices, and the TTC to assess whether the NRC's process and
procedures met system security objectives. Auditors also reviewed and
analyzed system data concerning access rights and entry into special access
building areas.

This work was conducted from May 2006 through October 2006, in accordance
with generally accepted Government auditing standards and included a review
of management controls related to the audit objective. The work was conducted
by Beth Serepca, Team Leader; Judy Gordon, Audit Manager; Vicki Foster,
Senior Management Analyst; and Rebecca Underhill, Auditor.